OFFICE OF INSPECTOR GENERAL
Catalyst for Improving the Environment

Audit Report

EPA Could Improve Its Information Security by Strengthening Verification and Validation Processes

Report No. 2006-P-00002
October 17, 2005

Report Contributors: Rudolph M. Brevard, Charles Dade, Cheryl Reid, Jefferson Gilkeson, Scott Sammons


Abbreviations

ASSERT    Automated Security Self-Evaluation and Remediation Tracking
EPA       Environmental Protection Agency
C&A       Certification and Accreditation
FISMA     Federal Information Security Management Act
NIST      National Institute for Standards and Technology
OIG       Office of Inspector General
OMB       Office of Management and Budget
POA&Ms    Plans of Action and Milestones


At a Glance

U.S. Environmental Protection Agency, Office of Inspector General
Report No. 2006-P-00002, October 17, 2005
Catalyst for Improving the Environment

EPA Could Improve Its Information Security by Strengthening Verification and Validation Processes

Why We Did This Review

The Federal Information Security Management Act (FISMA) requires the Office of Inspector General to perform an independent evaluation of the Environmental Protection Agency's (EPA) information security program and practices.

Background

We selected a sample of the EPA's major applications and evaluated:

   • certification and accreditation practices;
   • system contingency plans; and
   • program offices' processes to test and evaluate security controls, including conducting vulnerability tests for known security threats.

What We Found

Program offices had not effectively implemented processes to comply with Federal and EPA requirements related to information security. We found major applications without: (1) adequate certification and accreditation, (2) contingency plans or testing of the plans, and (3) a process to monitor for known security vulnerabilities. As a result, not all security control deficiencies are reported in EPA's Plans of Action and Milestones system. EPA could have discovered these security deficiencies had it implemented processes to verify and validate offices' compliance with established Federal and Agency requirements. Therefore, the Chief Information Officer is not receiving timely and accurate information with which to plan, implement, evaluate, and report EPA's Information Technology security status and security remediation activities to the Office of Management and Budget.

What We Recommend

We made four recommendations to the Director of EPA's Office of Technology Operations and Planning. These involved: (1) developing and implementing an ongoing oversight process to review major applications and related general support systems for compliance with Federal and Agency requirements; (2) developing and implementing processes to evaluate the effectiveness of Independent Verification and Validation reviews; (3) developing a strategy for reporting Independent Verification and Validation results to inform Assistant and Regional Administrators on the status of their security programs; and (4) ensuring program offices establish Plans of Action and Milestones for all program office-specific deficiencies identified in subsequent reports related to this review.

The Agency found the report to be an accurate reflection of the Agency security program and concurred with the findings and recommendations.

For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2006/20051017-2006-P-00002.pdf


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF INSPECTOR GENERAL

October 17, 2005

MEMORANDUM

SUBJECT:   EPA Could Improve Its Information Security by Strengthening Verification and Validation Processes
           Report No. 2006-P-00002

FROM:      Rudolph M. Brevard /s/
           Acting Director, Business Systems Audits

TO:        Kimberly T. Nelson
           Assistant Administrator for Environmental Information and Chief Information Officer

This is our final report on the information security controls audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This audit report contains findings that describe problems the OIG has identified and corrective actions the OIG recommends. This audit report represents the opinion of the OIG, and the findings in this audit report do not necessarily represent the final EPA position. EPA managers, in accordance with established EPA audit resolution procedures, will make final determinations on matters in this audit report.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days of the date of this report. You should include a corrective action plan for agreed upon actions, including milestone dates. We have no objection to further release of this report to the public. For your convenience, this report will be available at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact me at (202) 566-0893, or Charles Dade, Assignment Manager, at (202) 566-2575.

cc: Mark Day, Director, Office of Technology Operations and Planning


Table of Contents

At a Glance

Chapters
   1  Introduction ......................................................................... 1
         Purpose ........................................................................... 1
         Background ........................................................................ 2
         Scope and Methodology ............................................................. 2

   2  EPA Could Improve Security Controls Reporting and Compliance by
      Strengthening Verification and Validation Processes ................................. 4
         Plans of Action and Milestones Did Not Reflect Applications' Security Status ...... 4
         Application Certification and Accreditation Did Not Meet Guidelines ............... 5
         Contingency Planning Practices Had Deficiencies ................................... 6
         Testing and Evaluation of Security Controls Needs Improvement ..................... 7
         EPA Has Not Implemented Adequate Verification and Validation Processes
            for Systems' Security Controls ................................................. 8
         EPA is Taking Steps to Improve Security Compliance Processes ...................... 8
         Recommendations ................................................................... 9
         Agency Comments and OIG Evaluation ................................................ 9

Appendices
   A  Detailed Scope and Methodology ....................................................... 10
   B  Federal and Agency Criteria .......................................................... 13
   C  Agency Response to Draft Report ...................................................... 15
   D  Distribution ......................................................................... 17


Chapter 1
Introduction

Purpose

We audited the Environmental Protection Agency's (EPA) information security program and practices. We selected five major applications from EPA's fiscal 2005 business cases submitted to the Office of Management and Budget (OMB). See Appendix A for a listing of the major applications. We evaluated whether the program office for each selected application:

   • complied with Federal and Agency requirements on certification and accreditation (C&A) practices;

   • complied with Federal and Agency requirements on contingency plans; and

   • implemented processes to test and evaluate security controls, which included conducting vulnerability tests for known security threats.

In addition, we evaluated the following additional security control areas. We have reported the results from the first two areas in our fiscal 2005 Federal Information Security Management Act (FISMA) report template submitted to OMB:[1]

   • hardware and Operating Systems configuration,

   • security training adequacy for Information Security Officials and System Administrators, and

   • program office expenditures of security control funds.

We will also provide results to each program office in separate reports. This report provides the Office of Environmental Information with our findings on information security controls, including deficiencies that require EPA Plans of Action and Milestones (POA&Ms).

[1] Report No. 2006-S-00001, Fiscal Year 2005 Federal Information Security Management Act Report, October 3, 2005

Background

Enacted into law on December 17, 2002, as Title III of the E-Government Act of 2002, FISMA defines specific information security requirements Federal agencies must satisfy and assigns responsibilities to agency heads, senior agency officials, and agency inspectors general for satisfying FISMA requirements. FISMA requires that agencies develop policies and procedures commensurate with the risk and magnitude of harm resulting from the malicious or unintentional impairment of agency information assets.

EPA's Chief Information Officer is responsible for developing and overseeing Agency-wide, risk-based, and cost-effective policies and procedures for addressing information security. Senior Agency officials within EPA's program and regional offices are responsible for enforcing security policies and procedures by assessing potential risks and implementing operational and technical controls that cost-effectively mitigate identified risks to Agency information assets. Senior Agency officials are also responsible for implementing controls and periodically testing and evaluating information security controls to ensure continued compliance with Agency standards.

When a security control weakness is identified, Agency officials create POA&Ms, which document the planned remediation process. EPA uses a central database, the Automated Security Self-Evaluation and Remediation Tracking (ASSERT) tool, to centrally track remediation of weaknesses associated with Information Technology systems. ASSERT serves as the Agency's official record for POA&Ms activity. The Agency reports POA&Ms activity to OMB quarterly.

Scope and Methodology

We conducted our field work from March 2005 to July 2005 at EPA Headquarters in Washington, DC; the National Computer Center, Research Triangle Park, North Carolina; and EPA's Region 3 in Philadelphia, Pennsylvania. We interviewed Agency officials at all locations and contract employees at the National Computer Center. We reviewed application security documentation to determine whether it complied with selected requirements. We reviewed system configuration settings and conducted vulnerability testing of servers for known vulnerabilities. Appendix A has detailed information on our sample selection and the specific scope and methodology applied for each security control area. We reviewed relevant Federal and Agency information security requirements, summarized in Appendix B. We conducted this audit in accordance with Government Auditing Standards, issued by the Comptroller General of the United States.

We evaluated the information security practices of five Agency program offices by selecting a major application system within each program office. For each selected application, we evaluated the following security controls:

   • Security C&A practices -- We evaluated whether application security plans, risk assessments, and authorizations for operation complied with Federal and Agency requirements.

   • Application contingency plans -- We evaluated whether application contingency plans complied with Federal and Agency requirements, specifically regarding: (1) general content headings, and (2) the adequacy and frequency of tests performed on each plan.

   • Processes used to test and evaluate security controls -- We evaluated three areas of security controls: (1) physical controls, (2) contractor personnel security screening, and (3) system vulnerability monitoring.

There were no pertinent issues that required follow up from prior audit reports.


Chapter 2
EPA Could Improve Security Controls Reporting and Compliance by Strengthening Verification and Validation Processes

EPA's POA&Ms were not consistent with the security controls status of the applications we reviewed. We found major applications without:

   • adequate certification and accreditation,
   • contingency plans or testing of plans, and
   • adequate testing and evaluation of security controls.

EPA could have discovered these inconsistencies if it had implemented verification and validation processes to review program offices' compliance with established Federal and Agency requirements. Without these processes, EPA mission-critical information systems may not be adequately protected against known security vulnerabilities or be available in a timely manner in the event of an emergency or disaster.

Plans of Action and Milestones Did Not Reflect Applications' Security Status

Our review disclosed that, in several cases, program offices did not report POA&Ms information in EPA's ASSERT database. As a result, the Chief Information Officer is not receiving timely, accurate, and complete POA&Ms information with which to plan, implement, evaluate, and report EPA's Information Technology security status and security remediation activities to OMB.

As indicated in Table 1, and discussed in detail in subsequent sections, program offices discovered and reported only 22 percent (4 out of 18) of the security weaknesses we identified in our review.

Table 1. Application Security Deficiencies Identified Compared to Deficiencies Discovered and Reported in EPA's ASSERT Database

   Area Reviewed                        Number of Identified      Number of Deficiencies
                                        Security Deficiencies     Reported by POA&Ms in ASSERT
   ----------------------------------   ---------------------     ----------------------------
   Certification & Accreditation (C&A)           10                            2
   Contingency Plan                               8                            2
   Total                                         18                            4

Application Certification and Accreditation Did Not Meet Guidelines

Of the five applications we reviewed, none of the selected C&A packages fully complied with Federal or Agency requirements. Certification is a comprehensive assessment of a system's managerial, operational, and technical security controls to determine whether the controls are implemented correctly, operating as intended, and producing the desired outcome. Accreditation is the official management decision to authorize operation of an information system and to explicitly accept the risk to EPA's operations, assets, or personnel. By accrediting an information system, senior Agency officials accept responsibility for the security of the system and are fully accountable for any adverse impacts to the Agency if a breach of security occurs. The C&A package includes documents used by the authorizing official to approve an information system for operation.

Our review focused on whether each major application's: 1) security plan was current, had been approved or re-approved within the last 3 years or after a major system change, and contained accurate system status and application environment information; and 2) C&A package contained a current independent review of controls or a full, formal risk assessment. In addition, we evaluated whether management explicitly authorized/re-authorized the application within the last 3 years or re-authorized the application for operation after a significant change in processing before placing the system back into operation. We found 10 C&A deficiencies in the following areas:

   • Four C&A packages with security plan deficiencies:

      - one application operating with an expired security plan,
      - one application operating with a security plan that was not updated when the system underwent major changes, and
      - two applications operating with security plans that did not reflect current application status.

   • Three C&A packages with independent review or risk assessment deficiencies:

      - one application operating under an expired risk assessment,
      - one application operating without ever having undergone a risk assessment, and
      - one application not re-assessing risks following a significant change in processing.

   • Three C&A packages with authorization to operate deficiencies:

      - one application operating without written authorization,
      - one application operating with an expired authorization, and
      - one application that was not re-authorized after a major modification prior to placement back into production.

Based on our findings, senior Agency officials did not have a reasonable basis for accrediting the applications. EPA places itself at greater risk because it could not be sure that adequate steps have been taken to eliminate or mitigate risks.

Contingency Planning Practices Had Deficiencies

Four of the five applications we reviewed had contingency plan deficiencies. Our review focused on whether the application owners had: 1) developed a contingency plan and included contingency plan general content headings consistent with National Institute for Standards and Technology (NIST) guidelines, and 2) adequately tested the plan and documented the test results. We found eight contingency plan deficiencies in the following areas:

   • Four contingency plan development-related deficiencies:

      - two applications operating without a contingency plan, and
      - two applications with contingency plans that were not updated to reflect major changes made to the system.

   • Four contingency plan testing-related deficiencies:

      - four applications had not tested their plans, either because they lacked a contingency plan or because the contingency plan was not updated when the application underwent major changes.

Program offices had not reported 75 percent (six of eight) of the contingency plan deficiencies identified in our review.

In addition, we reviewed the contingency planning efforts for one application that was widely distributed throughout the EPA's Headquarters, regions, and finance centers. Our review determined that the application's program office had established POA&Ms to manage two security deficiencies. However, over several years, the program office took no action to correct these deficiencies.

An adequately documented and tested contingency plan would enable EPA to recover quickly and effectively following a service disruption or disaster. Lack of a tested contingency plan may cause mission critical systems to not be available in a timely manner in the event of, or just after, an emergency or disaster.

Testing and Evaluation of Security Controls Needs Improvement

While the physical controls for server rooms and contractor background screening procedures were adequate, the process to monitor servers for high-risk vulnerabilities needs improvement.

Physical Controls of Server Rooms and Contractor Background Screening Processes Were Effective

Program offices effectively implemented physical controls for the server rooms we evaluated. In particular, we examined fire, temperature, and physical access controls for each server room we evaluated. We did not assess these controls at the Research Triangle Park campus since these areas are currently under review in another audit. Although we found contractor background security screening processes effective, we identified where EPA could improve its procedures. We will issue a separate memorandum outlining our concerns.

Process for Monitoring Servers for Known Vulnerabilities Could Be Improved

Although we found many of the program offices had implemented processes to monitor system activity by activating system-logging features and assessing system configuration settings, EPA could improve its processes for monitoring servers to detect and correct known vulnerabilities. Our vulnerability tests discovered 130 high-risk vulnerabilities on the servers scanned with our vulnerability scanner. We provided our test results to the appropriate program offices and EPA took immediate actions to remediate the risks.

EPA has not implemented monitoring for 21 percent (6 of 29) of the reviewed servers. Table 2 compares the number of vulnerabilities discovered on monitored versus unmonitored servers, as well as the average number of vulnerabilities per server. As noted, unmonitored servers had, on average, 72 percent more vulnerabilities than monitored servers.

Table 2. Vulnerabilities Discovered for Monitored Versus Unmonitored Servers

                   Number of     Number of Discovered     Average Number of
                   Servers       Vulnerabilities          Vulnerabilities per Server
   -------------   ---------     --------------------     --------------------------
   Monitored          23                 90                          3.9
   Unmonitored         6                 40                          6.7
   Total              29                130                           -

Routine tests of systems to verify that the security settings are configured correctly, according to established policies, are widely recognized as a preventive step that could reduce the occurrence of security incidents. Without processes to monitor servers, EPA mission-critical information systems may not be adequately protected against known security vulnerabilities. Exploiting these vulnerabilities could have a serious or severe adverse effect on EPA operations, assets, or individuals.

EPA Has Not Implemented Adequate Verification and Validation Processes for Systems' Security Controls

EPA had not established an ongoing process to review major applications for compliance with Federal and Agency requirements. In December 2002, EPA outlined a thorough process to conduct Independent Verification and Validation of annual system security self-assessments and POA&Ms. However, EPA had not taken steps to conduct activities or commit resources to ensure completion of many of the actions outlined in the "Security Oversight Processes" manual.

Information systems also go through limited security compliance reviews during EPA's Capital Planning and Investment Control (CPIC) process, but these reviews have not successfully identified security control weaknesses. EPA designed its CPIC process to analyze, track, and evaluate the risks and results of all major capital investments for information systems. However, the review process was not effective in identifying security weaknesses and ensuring program offices created POA&Ms to report and manage the mitigation of significant security weaknesses.

EPA is Taking Steps to Improve Security Compliance Processes

In subsequent talks, Agency officials indicated that EPA has taken steps to improve its screening of security information contained in business cases. For the fiscal 2007 CPIC process, EPA reassigned this function from contractor support to Technical Information Security Staff. However, the process may be insufficient because Agency officials indicated the process does not require Technical Information Security Staff to:

   • review the supporting documentation for the business case's security information,
   • conduct tests to independently verify and validate the business case's security status, or
   • verify and validate security requirements for systems that are not required to submit a business case – EPA's CPIC Lite submissions.

EPA is also taking further steps to enhance its Independent Verification and Validation practices. Agency officials indicated that Technical Information Security Staff committed resources to increase Independent Verification and Validation activities. EPA provided our office with notification memorandums outlining planned security reviews to begin in July 2005. EPA's memorandums indicate Technical Information Security Staff will verify and validate a sample of systems' security plans, POA&Ms, and subsections of the systems' self-assessments.

Recommendations

We recommend that the Director, Office of Technology Operations and Planning:

   1. Develop and implement an ongoing oversight process to verify and validate security controls of major applications and related general support systems for compliance with Federal and Agency standards, and ensure program offices create POA&Ms for all identified weaknesses. The ongoing oversight process should contain:

      a. criteria and processes to monitor and ensure program offices independently assess or reassess new or changed systems prior to authorization/reauthorization to operate - either through the CPIC process or Independent Verification and Validation,

      b. requirements to review a sample of completed POA&Ms, and

      c. requirements to verify that corrective actions effectively corrected identified deficiencies.

   2. Develop and implement processes to evaluate the effectiveness of Independent Verification and Validation reviews.

   3. Develop a strategy for reporting Independent Verification and Validation results to inform Assistant and Regional Administrators on the status of their security programs.

   4. Ensure program offices establish POA&Ms for all program office-specific deficiencies identified in subsequent reports related to this review.

Agency Comments and OIG Evaluation

In general, the Agency found the draft report was an accurate reflection of its security program and concurred with the findings and recommendations, with the exception of the section discussing the Contractor Background Screening Processes. The Office of Environmental Information provided the OIG additional information regarding their processes, and we modified the report.


Appendix A
Detailed Scope and Methodology

Application Selection

We initially selected the following six major applications from among EPA's 25 fiscal 2005 business cases submitted to OMB:

   System Name                                                          Program Office
   ------------------------------------------------------------------   ---------------------------------------------------
   Clean Air Markets Division Business Systems (CAMDBS)                 Office of Air and Radiation
   Integrated Compliance Information System (ICIS)                      Office of Enforcement and Compliance Assurance
   Comprehensive Environmental Response, Compensation, and Liability    Office of Solid Waste and Emergency Response
      Information System (CERCLIS)
   Safe Drinking Water Information System (SDWIS)                       Office of Water
   Integrated Contract Management System (ICMS)                         Office of Administration and Resources Management
   National Geospatial Program (GEO/GIS)                                Office of Environmental Information

We chose applications that were in an operational status, represented different Agency program offices, and had the highest budgeted fiscal 2005 costs for application operation and maintenance for each office selected.
We eliminated the National Geospatial Program application from our sample because we discovered (after detailed review of the business case and interview with program officials) that this business case was not an actual information system, and proceeded to review the remaining five applications against the specified criteria.

We excluded financial applications owned by the Office of the Chief Financial Officer from our sample because this office’s applications are currently undergoing review in the financial statement audit, and the OIG will report deficiencies in these applications separately.

Certification and Accreditation

To evaluate application security C&A practices, we reviewed three areas:

   • Application Security Plans -- For this area we evaluated whether the security plan met the following three criteria:

      o was approved or reapproved within 3 years or after a major application change,
      o accurately reflected the current status of the application, and
      o accurately described the current application environment.

   • Independent Reviews, Audits of Application Security Controls, Application Risk Assessments -- For this area we evaluated whether EPA had evidence of completing either:

      o a current independent review or audit of security controls, within the previous 3 years or after a major application change, as set forth by Appendix III of OMB Circular A-130 under security controls for major applications; or
      o a full and formal risk assessment at least every 3 years or after a major application change, as specified by the EPA Agency Network Security Manual 2195.1A4.

     Although the C&A process requires both 1) an independent review or audit of security controls and 2) a full and formal risk assessment at least every 3 years, for purposes of our review, we only verified whether the program offices had one or the other.

   • Written Authorizations for Application Operation -- For this area we evaluated whether EPA had:

      o written authorization for each application prior to placing the application into operation and/or re-authorization for processing at least every 3 years as required by Appendix III of OMB Circular A-130, or
      o written re-authorization for each application prior to placing the application back into operation after "a significant change in processing" as required by Appendix III of OMB Circular A-130.

We interviewed application managers and system security officials to gain an understanding of the current system operating environment and to assess the significance of ongoing changes to the system environment. We evaluated whether security plans, risk assessments, and authorizations were current and whether the actual system operating environment matched the environment described in the application security plan.

Contingency Plans

We evaluated contingency plans, security plans with contingency planning sections, and other documents that are commonly prepared for contingency planning to determine if they complied with the criteria. We specifically reviewed the plans for the broad, overarching subheadings that NIST criteria deem to be part of a complete contingency plan (e.g., Purpose, Applicability, Scope, References/Requirements, Record of Change, System Description, Line of Succession, and Responsibilities).
To determine whether program offices tested contingency plans, we requested and reviewed documentation of tests performed within the past year.

Testing of Security Controls

We reviewed physical security measures and processes to monitor servers for known vulnerabilities. To review physical security measures, we examined fire, temperature, and physical access controls to determine if these controls existed for each server room we evaluated. We confirmed the presence of fire suppression systems and alarms. To evaluate server monitoring, we examined documents related to system monitoring and scanning, such as reports from scanning tools and screen prints of system logs; monitoring and configuration applications; and patch management tools associated with each server evaluated. To evaluate contractor background screenings, we obtained documents showing the current status of background screenings for the contractor personnel included within our review.

We used the Internet Security Scanner and NESSUS vulnerability assessment tools to identify computers and open ports susceptible to attack and provide information on the associated vulnerabilities and risk mitigation strategies. The Internet Security Scanner is a network-based vulnerability-scanning tool that identifies security holes on network hosts. NESSUS is a freeware network-based vulnerability-scanning tool that identifies security holes on network hosts. We conducted testing at EPA’s Headquarters, Region 3, and Research Triangle Park. We interviewed responsible system owners and provided results to Agency officials for comments.

Table 2 of our report contains only the High Risk vulnerabilities identified by the scanning tools. For password vulnerabilities, we counted one vulnerability per server, although there may have been more than one instance of the same vulnerability. We did not count expired passwords that were under 90 days old as vulnerabilities.
We did not report vulnerabilities identified as Medium or Low Risks or test results described as Informational. However, we shared the complete vulnerability test results with the system owners and administrators.

Appendix B

Federal and Agency Criteria

OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources requires a management official to accredit (authorize to operate), in writing, the use of an automated system by confirming that its security plan, as implemented, adequately secures the application. The management official must factor in the results of the most recent review or audit of security controls when accrediting the system. The management official must accredit the application prior to its placement into operation and re-accredit the application at least every 3 years, or after major system changes. Major applications must undergo an independent review or audit of the security controls at least every 3 years. The Circular establishes the requirement for all major applications to have security plans.

Federal Information Processing Standards Publication 102, Guideline for Computer Security Certification and Accreditation, September 1983, and NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004. These documents provide guidelines for establishing formal processes for certifying and accrediting computer applications as required by OMB Circular A-130, Appendix III. A security certification consists of an evaluation of an application – including an assessment of the managerial, operational, and technical controls – to see how well these controls meet security requirements. A security accreditation is the official management decision given by a senior Agency official to authorize operation of an information system and to explicitly accept the risk to Agency operations, assets, or personnel based on the implementation of an agreed-upon set of security controls. NIST 800-37 also requires continuous monitoring of system security controls and reporting security status to appropriate Agency officials.

NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, June 2002, maps out guidelines for a complete Information Technology contingency plan as well as testing of the plan. The guidelines specify that contingency plans contain the following sections: Purpose, Applicability, Scope, References/Requirements, Record of Change, System Description, Line of Succession, and Responsibilities. Appendix C states that testing of the contingency plan should occur at least annually and upon significant changes to the Information Technology system, supported business processes, or the Information Technology contingency plan.

EPA Directive 2195A1, EPA Information Security Manual, December 1999, requires each primary organization head to ensure that all general support systems and major applications have security plans in place and update the plan at least every 3 years or when significant change occurs. Appendix A establishes the requirement to develop and test contingency plans.

EPA Order 2195.1 A4, Agency Network Security Policy, March 2001, requires that EPA data communications network resources be documented, monitored, tested, evaluated, and verified to ensure adequate security in accordance with information sensitivity and other Federal and Agency requirements.
A program of continuous monitoring, detecting, and auditing with corresponding tracking capabilities and reporting is required for all EPA data communications network entry and exit points. This program must contain procedures for adequate and timely response to intruders and other unauthorized activities. The Order requires major application managers to conduct and update risk assessments at least every 3 years or whenever a substantive configuration change occurs.

EPA Risk Assessment Procedures, February 2004, require system owners to perform a full formal risk assessment on all major applications included in OMB Exhibit 300 submissions before a system is placed in operation and at least every 3 years thereafter.

Appendix C

Agency Response to Draft Report

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C., 20460

OFFICE OF ENVIRONMENTAL INFORMATION

September 29, 2005

MEMORANDUM

SUBJECT:  Technical Information Security Staff Comments on the Draft Report: EPA Could Improve Its Information Security by Strengthening Verification and Validation Processes, Assignment No: 2005-000661

FROM:     Kimberly T. Nelson /s/
          Assistant Administrator and Chief Information Officer

TO:       Nikki L. Tinsley
          Inspector General

We appreciate the opportunity to review and provide comments on the Draft Report, “EPA Could Improve its Information Security by Strengthening Verification and Validation Processes.” Our comments address the factual accuracy of the draft report and include our concurrence or non-concurrence with the findings and recommendations.

In general, we found the report was an accurate reflection of the Agency security program, especially in light of our follow-on discussions with your office and the information technology system owners for the systems reviewed. We concur with the findings and recommendations.

If you or your staff have any questions regarding this report, please contact me at 202-566-0304 or Marian Cody at 202-566-0302.

cc:   Rudolph Brevard (2421T)
      Mark Day (2831T)
      Myra Galbreath (2831T)
      Karen Maher (2831T)
      George Bonina (2831T)
      Marian Cody (2831T)
      Barbara Chancey (2831T)
      John Gibson (N276-01)
      Melissa Heist (2421T)
      Kim Farmer (2831T)
      Bob Trent (2812T)
      Cheryl Reid (N283-01)

Appendix D

Distribution

Office of the Administrator
Assistant Administrator for Environmental Information and Chief Information Officer
Assistant Administrator for Administration and Resources Management
Assistant Administrator for Air and Radiation
Assistant Administrator for Enforcement and Compliance Assurance
Assistant Administrator for Solid Waste and Emergency Response
Assistant Administrator for Water
Director, Office of Technology Operations and Planning
Senior Agency Information Security Officer
Director, National Technology Services Division
Associate Director, Technical Information Security Staff
Operations Security Manager, National Technology Services Division
Audit Coordinator, Office of Environmental Information
Audit Coordinator, Technical Information Security Staff
Audit Coordinator, Office of Administration and Resources Management
Audit Coordinator, Office of Air and Radiation
Audit Coordinator, Office of Enforcement and Compliance Assurance
Audit Coordinator, Office of Solid Waste and Emergency Response
Audit Coordinator, Office of Water
Agency Followup Official (the CFO)
Agency Followup Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Inspector General